
API Gateway:Configure OIDC authentication

Last Updated:May 30, 2025

Integrating an enterprise authentication system over the OpenID Connect (OIDC) protocol lets you manage authentication and authorization for internal services in one place. Each service no longer needs its own integration work, and the authentication process is simplified. AI Gateway performs the unified authentication, which strengthens system security and allows more flexible security policies. Because the integration is based on OIDC, single sign-on (SSO) is also supported: a user who logs on once can access multiple services.

Prerequisites

A unified authentication service that supports the standard OIDC protocol is created.

Background information

To control external access to internal services, a gateway authenticates external requests before forwarding them. Enterprises typically build their own unified authentication system. AI Gateway can integrate with such a self-built system through the OIDC protocol and then provides unified authentication for the internal services behind it, so that each service does not need to connect to the authentication system separately.

OIDC authentication

OIDC is an authentication protocol layered on OAuth 2.0. With it, a third-party application sends the user to an identity provider to authenticate, and the identity provider returns the user's identity information to the application in a secure, verifiable way. The OIDC extension to OAuth 2.0 is the ID Token, which carries basic identity claims about the user. The ID Token is a JSON Web Token (JWT): a self-contained, signed structure, so the recipient can detect tampering and verify the token locally instead of calling back to the identity provider.

The following roles are formalized in OIDC:

  • Client: the application that serves end users directly.

  • Authorization server: the OpenID provider (OP). It authenticates the end user and issues ID tokens, which are then used for authentication.

  • Business server: provides the business services. In this flow it is the relying party: it holds the client ID and client secret, exchanges the authorization code, and validates the ID token.

  • End user: the resource owner.

[Figure: OIDC authentication flow]

The following steps are included:

  1. The client sends an authentication request to the authorization server.

  2. The end user logs on at the authorization page with a username and password and confirms the authentication request.

  3. The authorization server validates the request and redirects the client back with an authorization code.

  4. The client sends a callback request that carries the authorization code to the business server.

  5. The business server sends a token request to the authorization server. The request contains the authorization code, the client ID, and the client secret.

  6. The authorization server validates the request and returns an ID token.

  7. If authentication succeeded, the business server returns the ID token to the client.

  8. The client constructs a business request that includes the ID token and sends it to the business server.

  9. The business server validates the ID token (signature, issuer, audience, and expiration) and returns a business response to the client.
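The check in step 9, written out as an added example (this is not code from the page or from AI Gateway). The constructed ID token is signed with HS256 over the client secret, which OIDC Core allows when the provider signs with the client secret; production deployments more often use RS256 with keys published at the provider's JWKS endpoint, and the signature step below would then verify an RSA signature instead. The issuer, client ID, secret and claim values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (hypothetical, not from the page).
ISSUER = "https://idp.example.com"
CLIENT_ID = "gateway-app"
CLIENT_SECRET = "s3cr3t-client-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: str) -> str:
    """Build an ID token signed with HS256 over the client secret, as an OpenID
    provider may do (OIDC Core 10.1). Used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def validate_id_token(token: str, *, secret: str, issuer: str, client_id: str,
                      expected_nonce: Optional[str] = None,
                      now: Optional[float] = None, leeway: int = 60) -> dict:
    """Verify the signature and the claims OIDC Core 3.1.3.7 requires (iss, aud,
    exp, iat, nonce). Returns the claims; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the token must not be allowed to pick "none" or switch
    # to a key type the verifier does not expect.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if now > claims.get("exp", 0) + leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or cross-login token)")
    return claims


def sample_token(now: int = 1_700_000_000) -> str:
    """A constructed token that is valid at `now` for the demo below."""
    return mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                          "iat": now, "exp": now + 300, "nonce": "n-1"}, CLIENT_SECRET)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sample_token(now)
    ok = validate_id_token(tok, secret=CLIENT_SECRET, issuer=ISSUER,
                           client_id=CLIENT_ID, expected_nonce="n-1", now=now)
    print("accepted subject", ok["sub"])
    h, p, s = tok.split(".")
    none_header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    for label, bad in [("tampered payload", f"{h}.{_b64url_encode(b'{}')}.{s}"),
                       ("alg none", f"{none_header}.{p}.")]:
        try:
            validate_id_token(bad, secret=CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=now)
        except ValueError as e:
            print(label, "->", e)
```

The order matters: the algorithm is pinned and the signature is checked before any claim is read, so an attacker-controlled payload is never trusted for the issuer or audience decision, and the nonce check ties the token to the login that requested it.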

OIDC authentication in AI Gateway

In the preceding process, if multiple business servers exist, such as a user server and an order server, each of them must implement authentication on its own: each must validate incoming requests and maintain its own connection to the authorization server. The OIDC authentication feature of AI Gateway moves this work to the gateway, so that authentication is implemented once at the gateway level.

[Figure: OIDC authentication flow in AI Gateway]

The following steps are included:

  1. The client sends an authentication request to the gateway.

  2. The gateway forwards the authentication request to the authorization server.

  3. The authorization server verifies the authentication information, such as the username and password, in the request. After the request passes verification, the authorization server returns an authorization code to the gateway.

  4. The gateway sends the response that contains the authorization code to the client.

  5. The client sends a callback request that carries the authorization code to the gateway.

  6. The gateway sends a token request to the authorization server. The request contains the authorization code, the client ID, and the client secret.

  7. The authorization server validates the request and returns an ID token.

  8. Authorization is complete. The gateway returns the ID token to the client.

  9. The client constructs a business request that includes the ID token and sends it to the gateway.

  10. The gateway validates the business request and forwards it to the business server.

  11. The business server processes the request and sends a business response to the gateway.

  12. The gateway forwards the business response to the client.

Throughout this process, AI Gateway checks every request it receives. If a request carries no valid credential, AI Gateway redirects the user to the logon page of the authorization server. The business servers never communicate with the authorization server themselves, so it is transparent to them.
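The gateway-side half of the exchange above, as an added example that is not AI Gateway's implementation: a toy relying party that redirects unauthenticated requests to the provider with a fresh state and nonce, exchanges the code when the callback arrives, binds the returned ID token to the nonce, and issues an HMAC-signed session cookie of the kind the Cookie Secret parameter below protects. FakeAuthServer, Gateway, the endpoint paths and all secrets are constructed for this example; the provider returns claims directly instead of a signed JWT so that the example stays focused on state, nonce and cookie handling.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration for this example (hypothetical values, not from the page).
ISSUER = "https://idp.example.com"
CLIENT_ID = "gateway-app"
CLIENT_SECRET = "s3cr3t-client-secret"
COOKIE_SECRET = b"long-random-cookie-secret"
REDIRECT_URL = "https://api.example.com/oauth2/callback"


class FakeAuthServer:
    """Stand-in for the enterprise OpenID provider (returns claims, not a signed JWT)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, state, nonce, username):
        # Steps 2-4: the user logs on; the browser is sent back with a one-time code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, nonce, username)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        # Steps 6-7: the code is single-use and bound to the client and redirect URL.
        entry = self._codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri) or client_secret != CLIENT_SECRET:
            raise PermissionError("invalid_grant")
        now = int(time.time())
        return {"iss": ISSUER, "sub": entry[3], "aud": client_id, "nonce": entry[2],
                "iat": now, "exp": now + 300}


class Gateway:
    def __init__(self, auth_server):
        self.auth = auth_server
        self._pending = {}  # state -> (nonce, original path); consumed on first use

    def _mac(self, payload: bytes) -> str:
        return hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()

    def issue_session_cookie(self, sub: str) -> str:
        payload = json.dumps({"sub": sub, "exp": int(time.time()) + 3600}).encode()
        return payload.hex() + "." + self._mac(payload)

    def session_subject(self, cookie):
        # Subject from a valid, unexpired cookie; None for a missing, forged or expired one.
        if not cookie or "." not in cookie:
            return None
        body, mac = cookie.rsplit(".", 1)
        try:
            payload = bytes.fromhex(body)
        except ValueError:
            return None
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        data = json.loads(payload)
        return data["sub"] if data["exp"] > time.time() else None

    def handle(self, path, cookie=None):
        # Steps 1 and 10: forward an authenticated request, otherwise start a login.
        sub = self.session_subject(cookie)
        if sub:
            return ("forward", sub)
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = (nonce, path)
        return ("redirect", f"{ISSUER}/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URL,
            "scope": "openid profile", "state": state, "nonce": nonce}))

    def callback(self, url):
        # Steps 5-8: check state, exchange the code, bind the token to the nonce,
        # then hand the browser a signed session cookie.
        parsed = urlparse(url)
        if parsed.path != "/oauth2/callback":
            raise ValueError("callback path must match the Redirect URL path")
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        pending = self._pending.pop(q.get("state", ""), None)
        if pending is None:
            raise PermissionError("unknown or replayed state")
        nonce, original_path = pending
        claims = self.auth.token(q.get("code", ""), CLIENT_ID, CLIENT_SECRET, REDIRECT_URL)
        if (claims["iss"], claims["aud"], claims.get("nonce")) != (ISSUER, CLIENT_ID, nonce):
            raise PermissionError("ID token is not bound to this login")
        return original_path, self.issue_session_cookie(claims["sub"])


def run_login(username="alice", path="/orders"):
    # Drive one complete exchange; returns (gateway, callback_url, original_path, cookie).
    gw = Gateway(FakeAuthServer())
    _, login_url = gw.handle(path)
    req = {k: v[0] for k, v in parse_qs(urlparse(login_url).query).items()}
    cb_url = gw.auth.authorize(req["client_id"], req["redirect_uri"], req["state"], req["nonce"], username)
    original_path, cookie = gw.callback(cb_url)
    return gw, cb_url, original_path, cookie
```

Two details carry the security weight: the state value is popped on first use, so a callback URL that is replayed or forged by a third party is refused, and the nonce stored with that state is compared against the ID token, so a token obtained for a different login cannot be injected into this one. The cookie is only a MAC over a subject and expiry; a cookie altered by the client, or one issued under a different Cookie Secret, fails verification and the request is sent back to the logon page.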

Create an authentication rule

  1. Log on to the AI Gateway console.

  2. In the left-side navigation pane, click Instance. In the top navigation bar, select a region.

  3. On the Instance page, click the ID of the gateway instance you want to manage.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. In the upper-left corner of the page, click Create Authentication to configure the gateway authentication parameters, and then click OK.

    The following table describes the parameters for AI Gateway OIDC authentication.

    Parameter

    Description

    Enable

    Specify whether to enable AI Gateway authentication.

    Authentication Name

    The custom name of the AI Gateway authentication.

    Authentication Type

    Select OIDC.

    Domain Name

    The domain name for which the authentication rule takes effect.

    Issuer

    Enter the issuer identifier of the OpenID provider. It must match the iss claim in the ID tokens that the provider issues.

    Redirect URL

    Enter the redirect URL to which the user is sent after authorization completes. The value must be identical to the redirect URL registered for this client with the OpenID provider; providers reject a token request whose redirect URL differs from the registered one.

    Important

    The parameter value is in the http(s)://yourdomain/path format. In this format, path must be set to /oauth2/callback.

    Client ID

    Enter the client ID that was assigned to the application when it was registered with the OpenID provider.

    Client Secret

    Enter the client secret that was issued to the application when it was registered. The gateway presents it together with the authorization code when it requests the ID token. Keep it confidential.

    Cookie Domain

    Enter the domain name for the cookie. After the user passes authentication, the cookie is sent to the specified domain name to maintain the logon status of the user. For example, if you set Cookie-domain=a.example.com, the cookie is sent only to the a.example.com domain. If you set Cookie-domain=.example.com, the cookie is sent to all subdomains of example.com.

    Cookie Secret

    The secret used to sign the cookie when it is created, so that the gateway can detect a cookie that was tampered with or forged. Use a long random value and keep it confidential.

    Scope

    Enter the OIDC scopes. Separate multiple values with semicolons (;). The openid scope is required for the provider to issue an ID token.

    Authorization

    Select the authorization method. Valid values: Whitelist and Blacklist.

    • Whitelist: Requests that match a listed host name and path pass through the gateway without authentication; all other requests must authenticate.

    • Blacklist: Only requests that match a listed host name and path require authentication; all other requests pass through without authentication.

    Click +Rule Condition to set the request domain name and path of a rule.

    • Domain: The host name of the request (the Host header).

    • Path: The request path.
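A few checks on the parameter values above, as an added example written for this page (not AI Gateway code): whether a Redirect URL has the required /oauth2/callback path, which request hosts a Cookie Domain value covers under the semantics described above, how the semicolon-separated Scope value maps to the standard space-separated scope parameter, and how the Whitelist and Blacklist modes decide whether a request must authenticate. Prefix matching of rule paths and the automatic insertion of openid are this example's assumptions, and RULES is a constructed rule set.

```python
from urllib.parse import urlparse

# Constructed rule set for this example (hypothetical, not from the page).
RULES = [("api.example.com", "/public"), ("api.example.com", "/healthz")]


def redirect_url_ok(url: str) -> bool:
    """Redirect URL must be http(s)://yourdomain/path with path exactly /oauth2/callback."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname) and p.path == "/oauth2/callback"


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """Cookie Domain semantics as the page describes them: a bare host name
    (a.example.com) covers only that host; a leading dot (.example.com) covers
    every subdomain of example.com."""
    cd, host = cookie_domain.lower(), request_host.lower().split(":")[0]
    if cd.startswith("."):
        return host.endswith(cd)
    return host == cd


def scope_param(console_value: str) -> str:
    """Turn the console's semicolon-separated Scope value into the space-separated
    OAuth scope parameter. OIDC requires 'openid' for an ID token, so it is added if
    missing (that the console does this itself is an assumption of this example)."""
    scopes = [s.strip() for s in console_value.split(";") if s.strip()]
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    return " ".join(dict.fromkeys(scopes))  # de-duplicate, keep order


def rule_matches(rules, host: str, path: str) -> bool:
    """A rule matches when the host is equal and the rule path is the request path
    or one of its parent segments (prefix matching is this example's assumption;
    the page does not state the matching semantics)."""
    for rule_host, rule_path in rules:
        if host != rule_host:
            continue
        if rule_path == "/" or path == rule_path or path.startswith(rule_path.rstrip("/") + "/"):
            return True
    return False


def requires_authentication(mode: str, rules, host: str, path: str) -> bool:
    """Whitelist: matching requests skip authentication, everything else needs it.
    Blacklist: only matching requests need authentication."""
    matched = rule_matches(rules, host, path)
    if mode == "Whitelist":
        return not matched
    if mode == "Blacklist":
        return matched
    raise ValueError("Authorization must be Whitelist or Blacklist")


if __name__ == "__main__":
    print(redirect_url_ok("https://api.example.com/oauth2/callback"))   # True
    print(redirect_url_ok("https://api.example.com/callback"))          # False: wrong path
    print(cookie_domain_matches(".example.com", "b.example.com"))       # True
    print(cookie_domain_matches("a.example.com", "b.example.com"))      # False
    print(scope_param("profile; email"))                                # openid profile email
    print(requires_authentication("Whitelist", RULES, "api.example.com", "/public/docs"))  # False
    print(requires_authentication("Blacklist", RULES, "api.example.com", "/orders"))      # False
```

Note the segment boundary in rule_matches: a whitelist entry for /public exempts /public/docs but not /publicity, which a naive startswith check would also let through unauthenticated.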